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The overall classification of this 

presentation is 


All slides and materiels contained in this 
presentation should be considered 
classified TS//SI//NF 

(unless otherwise noted) 
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BADDECISION Overview 
BADDECISION Components 
BADDECISION Prerequisites 
BADDECISION Operational Flow 
^ BADDECISION Step Through 
>■ Instructor-led Demos and Labs 
>■ BADDECISION Pros / Cons 
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At The End... AC ? ESS 

You should be able to.... I 

>• Understand BADDECISION Components I 
-Understand the BADDECISION Prereqs. I 
— Conduct a BADDECISION Operation. I 
List the Pros / Cons of NIGHTSTAND. H 
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^ BADDECISION is an “802.11 CNE tool that 
uses a true man-in-the-middle attack and a 
frame injection technique to redirect a 
target client to a FOXACID server.” 

>■ Takes advantage of shared open medium 
and the HTTP protocol. 

>> Works for WPA/WPA2! 
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BADDECISION Prerequisites ACCESS 

^■ 

>■ Working BLINDDATE Survey! 

Client on the Target network 

Security Level: WPA/WPA2 

>■ Ability to maintain a reliable connection to 
a target network. 

^ Don’t forget FOXACID Tag! 
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BADDECISION Components ACCESS 

>■ HAPPYHOUR 
>► SECONDDATE 
»■ Open Sources Tools 

macchanger 
wireshark 
nmap 
ettercap 
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Preparation 



Target 

Client 

IP: 192.168.1.2 

MAC: BB 
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Point 

IP: 192.168.1.1 

MAC: AA 


> 


Operator 


IP: 192.168.1.3 
MAC: CC 
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Point 


IP: 192 . 168 . 1.1 

MAC: AA 


Hey Access 
Point! Send 
everything 
destined for IP 
192.168.1.2 to 
MAC CC. 


Operator 


IP: 192 . 168 . 1.3 

MAC: CC 
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\Ccess Point 


IP: 192.168.1.1 

MAC: AA 


Target 

Client 


IP: 192.168.1.2 

MAC: BB 


Hey Target 
Client! Send 
everything 
destined for IP 
192.168.1.1 to 
MAC CC. 


Operator 
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Overview of 

Operational 

Scenario 

>• Operator with 

BLINDDATE 

System. 

>■ FOXACID Tag 
issued for Target. 

Target Client 
browsing the 
Internet via web 
browser © 
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Webpage Request 

>■ Target issues 
HTTP GET Request 
to webpage of 
interest (cnn.com) 
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Injection 

>■ Operate uses 
SECONDDATE to 
inject a redirection 
payload at Target 
Client. 

»■ Target Client’s 
original HTTP GET 
Request continues 
on it’s normal path. 



Operator 
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Refresh and 
Covert Request 

>*■ Injected payload 
forces Target Client 
to refresh and send 
another HTTP GET 
Request to desired 
webpage. 

>- Covert Request 
is issued by Target 
Client to FOXACID 
Server. 
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FOXACID 
Request Received 

»■ FOXACID 
receives request 
from entity. 

^ Entity is 
validated as Target 
Client by FOXACID 
Tag. 

>- Response to 
original HTTP GET 
Request is dropped 
(but don’t worry, 
that’s good) 
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FOXACID 
Browser Survey 

>■ FOXACID Server 
instantiates 
browser survey on 
Target Client to 
detect 

vulnerabilities. 
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FOXACID 
Browser Survey 

>■ FOXACID Server 
instantiates 
browser survey on 
Target Client to 
detect 

vulnerabilities. 
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Survey, Payload, 
Exploitation 

^Covert 
communicates 
continue between 
FOXACID and 
Target until found 
not vulnerabilities 
or exploited. 

>- Target Client 
continues normal 
webpage browsing, 
completely unaware 
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WHACKED! 

>■ That’s the 
ultimate goal. 
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BADDECISION Step Through ACCESS 

- - ' — r — i - . - " _ 7 - 

>■ Let’s go through this together... 

>■... because there are many more pieces! 
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BADDECISION Demos and Latff CESS 


>■ Grab a partner! 

>■ One Target Client, one Operator. 
Have fun getting whacked! 
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BADDECISION Pros / Cons ACCESS 


Pros 

Works for WPA / WPA2 networks. 

Can reliability see all communications 
between target and FOXACID. 

>■ Cons 

Larger signature than NIGHTSTAND. 

Requires higher SNR to maintain reliable 
communications between target and FOXACID. 
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